SubRosaSoft has me stumped

Stephen Withers
Friday, 14 March 2008 08:10

Opinion and Analysis

As Stuart Corner pointed out, SubRosaSoft's MacForensicsLab recently published a white paper describing the history of malware and recommending some changes that Apple could make to improve Mac OS X security. But would those changes really help?

The biggest flaw in SubRosaSoft's argument is the incorrect assertion that the Applications folder is totally unprotected. In a standard setup, only the system and admin groups have write access, so a normal user can't add or modify files in that folder.

Similarly, ordinary users have read-only access to individual applications such as iTunes. You need to be in the system or admin group to gain write access.

(This is where you can criticise Apple for its default 'single-user is admin' setup if you wish, but I can't accept an argument that a user with admin rights is an ordinary user.)

The first page of Stuart's article slightly misquotes the Subrosasoft paper. The idea put forward is not that you would replace (eg) iTunes in the Applications folder, but that you would change the executable code within the iTunes bundle.

Let's assume for a moment that there is a way of escalating privileges that would allow such an attack from a normal user account. What would stop someone from replacing executable code even if Apple didn't use bundles? The same strategy would still work. A bundle is just a folder that the OS presents to the user as a single file.

At least some users have to have write access to the Applications folder, or they wouldn't be able to install applications there so that they are available to all users. Given that files can be hidden, I really don't see how bundles make any real difference to security either way.